Using Email
Preface
Email is a very old internet standard, predating the world wide web. It was first defined in 1982. It was updated in 2008 and remains in widespread use. It’s not a great protocol by today’s standards, but we’re all stuck with it. You almost certainly already have an email account. Although everyone has an email account, not everyone understands how email works or how to make the most of their account. Almost everyone with an email account just chose the first free, convenient option available for an email service provider. I know that’s what I did at first. Most people just use Gmail, Outlook, Yahoo, AOL, or one of the other top providers. Knowing this has motivated me to write this post because I fear that others are missing out on a better email experience.
Choosing an Email Service Provider
The first step before using email is choosing an email service provider. Email is a federated protocol. This means that no single entity “owns” email. If you want, you can create your own email provider and use it. Instead of john@gmail.com, your domain would be something like john@johnsdomain.com. But running your own mail server can be expensive and time-consuming. Mail servers also have many moving parts and require maintenance, so I won’t be writing about how to set up your own mail server. It’s just not a realistic option for non-technical users of email.
The best alternative to self-hosting is to pick an email service provider wisely. This list is obviously subjective, but here are some criteria which a good email service provider will meet:
- Only free software
- IMAP/POP3 support
- No logs policy
- Inside a privacy-respecting country
- Transparency reports
- Anonymous sign up
- Anonymous payment methods
- 2-factor authentication (TOTP)
- Inbound encryption (PGP)
- Tor support
- Sustainable business model
- Well-established
- Support team / help center
- Migration support
Free Software
The first and most important requirement is that the email provider uses exclusively free software. This means their website and webmail portal do not require proprietary JavaScript. JavaScript licenses should be included somewhere on the site or it should work without JavaScript enabled. Also, all backend software should be free. In other words, if an email provider uses Mac or Windows to host the email server, it’s as good as garbage and you shouldn’t touch it with a ten foot pole. It should probably run on GNU/Linux or FreeBSD. Good email providers support IMAP and POP3 for accessing email. Those protocols allow you to access emails from your own email client on any device. More on that later. Now onto security and privacy.
Privacy and Security
The email provider should have a policy of not keeping logs. This brings me to my next and important point that the email provider needs to reside within a privacy-respecting country. The legal requirements for collecting logs and sharing user data are going to differ depending on which country it’s in. Using an email provider based in the US or the UK is a very bad idea. Those countries don’t have strong privacy considerations and your email data (and metadata) won’t be safe. Email providers in those countries can’t guarantee safety of your emails. You can get a lot of information about what data is collected just by actually reading the Terms of Service when you sign up. Don’t use an email provider like Gmail, Outlook, or Yahoo that logs all your emails and sells them to advertisers. If it’s in the Terms of Service that the service shares non-trivial data with third parties, then that email service is garbage and you shouldn’t use it. In fact, good email providers will never share any data without a court order first. In order to take an email provider’s claims of protecting your data seriously, the email provider should have a transparency report providing as much detail as is legal about what information they can be forced to turn over, when, and how often it actually happens.
Also, email providers can’t share information about you they don’t have. If the email service provider offers anonymous sign up (they don’t request your name, address, phone number or other PII), this is a good sign. They should also offer anonymous payment mechanisms (cash or cryptocurrency). You should not provide personal information just to sign up for an email account. Any email service that requires you to probably doesn’t care very much about your privacy. For security, your email provider should use two-factor authentication to prevent your account from being stolen. In your browser, check the email service’s website for TLS 1.3. If the email service website doesn’t support TLS 1.3, that’s a bad sign. Check that they support DANE/TLSA. They should claim to encrypt the hard disks of the email server or the email accounts themselves to prohibit data theft. They shouldn’t ever send any email data unencrypted. It should always use TLS. The email service should provide you with “inbound encryption”. Inbound encryption means you can generate a key pair and provide the email service your public key to encrypt your emails with. This means the email service encrypts your emails, as they are received, on their servers with a key only you have access to. If your emails are later stolen or requested via court order, the service will only be able to provide encrypted versions of your emails unreadable to anyone except you.
Another good sign is if the email service supports access over Tor. The webmail client should support access over Tor Browser. It shouldn’t block tor connections. If it has an onion address, then the email service went through extra trouble for Tor support. As I said, email providers can’t share information about you they don’t have. If you connect over Tor, you are protecting your IP address. That means you don’t have to trust the email service not to log your IP when you access email.
Business Operations
I’ve gone over some of the technical details, but I haven’t mentioned the business model yet. When you sign up for an email service, you need to check how they are supporting the service financially. There’s a famous adage about online products: “If it’s free, you’re the product”. Unless your email service provider is a subscription service, donation funded or the host is just an altruist, then your emails and metadata are probably being sold to advertisers. Also you’ll want to make sure they are “well-established”. The service provider shouldn’t be too obscure. This is subjective but you probably want a few thousand other people to also be using the service. This is an indicator that the service is reliable. People want email to “just work”. If it has lots of downtime, is slow or it doesn’t work well, it won’t take long for people to switch to another service. Another indicator of reliability is that it has been around for a few years without major data breaches. If there have been data breaches, was the email service quick to respond? Do they have a dedicated 24/7 support team or help center for answering any questions you might have? If you can’t get your emails one day, will you have somebody to contact for support? A highly available, quick-to-reply support team is a good sign that the email service is competent. The email service should also have migration support. Migration support makes it easier to switch email providers if you ever want to use a different one.
Nothing I’ve mentioned gives you a 100% guarantee that the email provider is secure, will stay in operation, doesn’t sell your data to advertisers, or is competent. But the more criteria that the email provider meets, the better the chances that it’s a good one. At some point you have to say “Okay, this email service meets so many criteria of being ethical that it either actually operates ethically or is so good at faking it I could never hope to tell the difference anyway”. Once you do enough research where you can confidently say that, then you should consider using it. There are other features email services provide that I haven’t mentioned such as email aliasing and email storage space. Those depend heavily on how you use email and if I listed all possible features of an email service, I’d never finish this post. But I think I have covered some of the key features to look for when choosing an email service.
Using an Email Client
The most common way by far to access email nowadays is using webmail which is a shame. Webmail is when you access your email account in the browser. Remember that email predates the web, so it doesn’t rely on the web at all. It’s just that people have been spoiled by web apps and never need to leave the browser environment any more. Using an email client, also known as a user agent, is a more satisfying way to use email. It provides functionality such as easy account navigation, email filtering, email flagging, calendaring, contacts, and more. Webmail also provides the same features, but often requires running proprietary JavaScript to accomplish the same tasks. Using an email client gives you a single, unified user experience that you can customize to your liking for all email accounts, even if the accounts are on different email services. Using an email client empowers you to use inbound encryption, managing your encryption keys yourself. I just want to quickly mention that Protonmail requires installing a proprietary bridge application for IMAP and SMTP support. If you want to use Protonmail with your own email client, you’ll have to install their software. I’m not trying to pick on them in particular. I just want to point out it’s more secure to use email clients that work for any email provider, not client programs that the specific email service has home-brewed even if they are free software programs. Individualized email clients and client-related programs likely have less code review and less scrutiny which means you’re less secure using them. Some good email clients are Thunderbird, Evolution or Mutt if you prefer a terminal. Microsoft Outlook is common, but it is proprietary. Don’t use it.
POP3
Since most email users have been totally spoiled by the web, they have never heard the terms POP3 and IMAP. When you use an email client, you will have a choice of which protocol you prefer. POP stands for Post Office Protocol. The first version of POP was created in 1984. POP3 fetches emails from the remote email server, then deletes them from the server. It can be configured not to do that, but that’s its main benefit. If you only check email from a single device and you don’t want your emails hanging around on someone else’s computer, then POP is the way to go. Sent emails are stored in the client you sent them. Deleted emails are only deleted in the client you deleted them in. So POP is not a good protocol if you are using multiple devices to check email. It doesn’t try to sync across devices. POP is also good to use if you have very little space allocated to you on the remote server, but you regularly send and receive large email attachments.
IMAP
IMAP stands for Internet Messaging Access Protocol. It was created in 1986. IMAP makes use of the remote email server. All messages are stored on the remote server. When you delete an email, it is deleted on the server. When you send an email, it is stored on the server. When you read an email, the server marks it as read. If you switch devices, your email inbox will look the same. It has a consistent experience across multiple devices. This is probably what you want to use most of the time.
Email Use Cases
Even if you follow this guide on picking an email service and you use an email client and use 2-factor authentication and inbound encrypt all your emails and use POP3, it’s likely that your correspondents are using Gmail, Outlook and Yahoo. Even though you could have the most secure email setup short of self-hosting, everyone you email is still using proprietary JavaScript with no 2FA unencrypted webmail with every email being parsed and sold to advertisers and mass surveilled. My point is don’t use email for personal correspondence. The fact is email is just an old insecure protocol. It doesn’t even use end to end encryption because it comes from a different era. You can use PGP to encrypt your emails, but it has so many problems that I can’t recommend it for regular use. Almost no one uses it, it’s difficult to use, and has many downsides. If you have to use email for personal or business correspondence, use PGP to encrypt. But the best advice I can give is just to avoid using email.
Email Privacy
The best time to use email is when it’s required. When you’re signing up for a website that requires email for instance. You don’t have to only have 1 email account either. I use several email aliases depending on the purpose. You can use different email accounts for every service you sign up for if you want. There’s throwaway email accounts available if you need to send or receive email quickly and then ditch the account. I wouldn’t recommend using email for receiving newsletters or information that you have another way of accessing. I might make another post talking about RSS, but it’s basically a web feed. RSS readers can pull content from all the websites that support RSS that you’re interested in without you actually visiting those sites. It’s a similar experience to using an email client, but with less of a digital footprint. With email, your email server has a record of which feeds you are subscribed to. With RSS, there is no “account”. No digital footprint showing you subscribed to that feed is necessarily created. If you anonymize RSS over Tor, then even a passive adversary like your ISP will have a hard time figuring out which news feeds you read. Even if you just visit the news site directly, that’s still arguably better for your privacy in terms of minimizing your digital footprint.
Multiple Accounts
In summary, the most privacy-preserving way to use email is to avoid using email for anything except website sign ups. Ironic, isn’t it? I just wrote paragraphs about the best way to use email and now I’m saying that you should avoid using it for most things. If you have the will, you can use a new email account for every site you sign up for to further enhance privacy. Using an email client will make it easier to manage so many accounts at the same time. You won’t have to reenter all your passwords every time to check your emails. If you are signed up for lots of services, this could be impractical. You might consider using several email accounts for “categories” of services instead of a separate email account for every single service you sign up for. The benefit of this is you don’t have all your eggs in one basket. If one of your email accounts gets compromised or snooped on, the others remain unaffected. Also keep in mind throwaway email services for one-off sending and receiving of emails.
If and how you segregate out your email accounts is up to you. This is just an optional extra step you can take. Using multiple email accounts doesn’t always make your emails more private or your accounts more secure. It just improves “unlinkability”. A common example of this is having a personal email and a work email. Keeping your personal life and your work life separate is important for many people. You wouldn’t want your workplace to know all the services you’re signed up for and you wouldn’t want to be receiving work emails on your personal email account.
Motivation
Those are my tips for getting the most out of email. It’s a lot of information to take in, but I wanted to be thorough. My motivation for writing this post as I said in the beginning was seeing the way most people use email. Until we have a widespread protocol that supersedes email, we should at least get the most out of it. And the way most people are using email right now is the absolute worst way to use it. There’s a lot of things in computing that aren’t harder to do a different way, it’s just that people haven’t been shown the better way of doing things. Most people don’t know anything beyond webmail despite the fact that email predates the web. I wrote this post to promote my preferred way of using email. I hope you have found it useful.